From c73a99ef902b21cc0ed2b03daffa9f1adfb70412 Mon Sep 17 00:00:00 2001
From: Sergey Sharybin
Date: Thu, 7 Nov 2019 16:50:31 +0100
Subject: Initial implementation of code signing routines This changes integrates code signing steps into a buildbot worker process. The configuration requires having a separate machine running with a shared folder access between the signing machine and worker machine. Actual signing is happening as a "POST-INSTALL" script run by CMake, which allows to sign any binary which ends up in the final bundle. Additionally, such way allows to avoid signing binaries in the build folder (if we were signing as a built process, which iwas another alternative). Such complexity is needed on platforms which are using CPack to generate final bundle: CPack runs INSTALL target into its own location, so it is useless to run signing on a folder which is considered INSTALL by the buildbot worker. There is a signing script which can be used as a standalone tool, making it possible to hook up signing for macOS's bundler. There is a dummy Linux signer implementation, which can be activated by returning True from mock_codesign in linux_code_signer.py. Main purpose of this signer is to give an ability to develop the scripts on Linux environment, without going to Windows VM. The code is based on D6036 from Nathan Letwory. Differential Revision: https://developer.blender.org/D6216
---
build_files/buildbot/slave_pack.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'build_files/buildbot/slave_pack.py')
diff --git a/build_files/buildbot/slave_pack.py b/build_files/buildbot/slave_pack.py
index 5bef2b81739..19dac236762 100644
--- a/build_files/buildbot/slave_pack.py
+++ b/build_files/buildbot/slave_pack.py
@@ -22,10 +22,13 @@ # system and zipping it into buildbot_upload.zip. This is then uploaded # to the master in the next buildbot step. -import buildbot_utils import os import sys +from pathlib import Path + +import buildbot_utils + def get_package_name(builder, platform=None): info = buildbot_utils.VersionInfo(builder) @@ -38,6 +41,12 @@ def get_package_name(builder, platform=None): return package_name +def sign_file_or_directory(path): + from codesign.simple_code_signer import SimpleCodeSigner + code_signer = SimpleCodeSigner() + code_signer.sign_file_or_directory(Path(path)) + + def create_buildbot_upload_zip(builder, package_files): import zipfile @@ -129,6 +138,8 @@ def pack_win(builder): package_filename = package_name + '.msi' package_filepath = os.path.join(builder.build_dir, package_filename) + sign_file_or_directory(package_filepath) + package_files += [(package_filepath, package_filename)] create_buildbot_upload_zip(builder, package_files) -- cgit v1.2.3
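Review bot: The new `sign_file_or_directory` wrapper ignores whatever `SimpleCodeSigner.sign_file_or_directory` returns, so these lines do not show whether a failed or timed-out signing request stops the pack step or lets an unsigned package go on to upload. SimpleCodeSigner is defined outside this patch; if it reports failure through a return value rather than an exception, the wrapper should check that value and abort the step instead of continuing. The call added to `pack_win` in the last hunk relies on the same contract. Once the behaviour is confirmed, a docstring should state it, for example `"""Sign a file or directory tree via the signing machine; raises if signing did not complete."""`.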
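Review bot: After `sign_file_or_directory(package_filepath)` the MSI is appended to `package_files` with no check that the file now on disk actually carries a signature. The commit message describes signing on a separate machine through a shared folder, so the file that comes back crosses a trust boundary. Verifying its Authenticode signature and the expected signer on the worker before `create_buildbot_upload_zip` would catch a missing, unchanged or substituted installer. At minimum a comment above the append would record the expectation: `# The MSI at package_filepath must carry a valid signature before it is added to the upload.` pack_win begins above this hunk, so any existing guard on the path is not visible here.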